One basic, essential component of games are forms. HTML forms. They provide a simple-to-use interface for the user to interact with the game. Forms allow the player to register, login, buy units, allocate resources, etc. by sending information from the player to the server. Interaction can also be done with links (sending data through URL parameters), AJAX, and more, but forms are probably the most common.

Forms are used to add or make changes to the player, whatever they control, and maybe global game variables. These changes are the backbone of the gameplay, and provide the user with control/choice, and gives the server some information to work with.

There are two common ways that this information is used. One way is that the player submits forms, and that submitted information changes certain variables. They might also be able to submit commands, which will be performed on the next tick. That’s right, I’m talking about tick-based games. Ticks occur in time intervals, and on each tick, the server takes all the new data (that the player changed) and calculates the result for everybody all in one go. The tick will also execute the commands submitted by the player (eg. build a house). In this way, changes to the entire game world happen on the tick, while individual changes to player data happen when the players submit forms.

Another way is that the information is used immediately, and a result is shown to the user. These are generally real-time games. For example, a user selects which units they want to send to attack another player, and submit the form. The server takes that information, processes it, and displays the result to the player on the next page without any delay.

This poses a problem. In tick-based games, the ’speed’ of the game and of the players is limited by the ticks. Players can only do so much in one tick that they need to wait until the next tick before they have resources available again. This keeps the game at a steady pace, and allows slower players a chance to keep up with the others. However, in a real-time game, players can keep playing without any limits. To restrict players, many games use ‘turns’. Every action in the game takes up a number of turns, and when their turns are used up, they need to wait until they have more turns. (Turns are usually given/recharged in time intervals, similar to ticks.)

Another way to limit the speed of the game is to put a cost on certain actions, and introduce currency/resources. If particular actions use up resources, and resources are not infinite, then those actions are also limited.

Do you want to display item/unit/building information on your PBBG, but find that your tables are getting too big, and your divs are cluttering up the page? Use tooltips to display this information in a compact and stylish way!

There are several ways to do this, and of course you can customize your tooltips so they fit right into your PBBG. There are already a few javascript libraries available on the internet which will allow you to use tooltips easily, so I will introduce two of these libraries. If you don’t like them, I’m sure there are more on the Internet!

BoxOver
This is a javascript library that is used by Google on Google Sites (read more about BoxOver on its wikipedia article). Unfortunately, at the time of writing the official BoxOver website is not available. I did find a copy of the Javascript file however. With this library, you set all the tooltip texts/header/styles/other options by using the title attribute in your HTML tags, so it is possible to use these tooltips on many HTML elements.
Examples: http://www.norfolk.gov/cultural_affairs/boxover/example.html

Walter Zorn Tooltip
This library is a bit more advanced than the BoxOver library, and allows you to write your own extensions to create amazing tooltips! However, it may be slightly harder to use/set up, as you must use the onmouseover and onmouseout triggers to display/close tooltips.

Here are some ideas you might want to try out when using tooltips:

• Create your own tooltip! Make it match your game’s style and theme so it will be unique!
• You could also try using AJAX to directly fetch information from a database, so that the information you present will never be out of date and will require little maintenance!
• Use HTML! The libraries I introduced above allow HTML in the actual tooltip text, so don’t hesitate to add images and tables.

The idea of sharing characters, objects and user information across multiple games and environments has always interested me.

I’ve got a simplistic idea on how this could be done and wanted to share it.

Some assumptions:

Let’s assume we have 3 environments (games) Game A, B and C. They are similar in some concepts and vastly different in others.

Let’s assume we have one user, Joe, who wants to play in all three environments.

Step 1:

Joe signs up for Game A and plays it. All information is stored within Game A as normal.

When Joe logs out of Game A. He is given a url that will contain all his information.
www.GameA.com/userInfo.php?userID=10

Next Step:

Joe now wants to play Game B. He has the option of entering in his url or registering as normal.

Once given a url Game B will request Joe’s information from Game A.

Game A will response with pair values, like so:

UserName=Joe
Email=joe@somewhere.com
Score=1000
Money=500
CharacterName=Killer
CharacterHP=50
CharacterMagic=40
etc…
etc…

Game A will also record the fact that Game B requested information. This will come into play when Joe goes back to playing Game A.

Game B will take the values it can use and create/update Joe’s account within it’s game environment. Such as UserName, Score and Money. (Maybe this game does not have characters)

Next Step:

Joe is done playing Game B. As he logs out he is given the opportunity to get a new URL or he can update Game A.

If Joe decided to update Game A, Game B will send a request to Game A letting it know the url it can find an update at.
www.GameB.com/userInfo.php?userID=99

Game A will go to that url and process all of Joe’s information, updating it’s stats as needed.

Thoughts:

One of the advantages of this system is that if Site A were to disappear or be unavailable, Joe still retains all the information from Game B. It’s even possible for him to save information from Game A, if the site does disappear, if Game B has it saved.

For those who are worried about malicious use of the system, it would be quite easy to code the update process to only allow updates from certain game sites. If you did not want to see updates from Game C, you could exclude that site from your updates by looking at the request url.

Alternatively someone could offer a service where “trusted” games can exchange information.

The user information could be in an XML document, but I have found that the ease with which you can build key pair values is easier to build and search then XML documents. I know the advantages, I personally don’t think the advantages out weigh the disadvantages in this case.

This is a stab in the dark any thoughts and comments are appreciated.

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

nl2br()

PHP already has several useful functions that can be used to sanitize strings. The first function I want to talk about is nl2br(). It doesn’t really help in security, but it is great for readability when you need to display stuff. It inserts a br tag at the end of each new line.

When it should be used: This tag should only be used when data is being displayed in a non-editable form, such as in a forum or a user profile. When it is displayed in an editable form such as a textarea, or when it is being added into the database, you don’t want to use this function because you want to preserve the original text. If the text is being edited by a user, they might be wondering why there are suddenly HTML tags all over their text.

strip_tags()

If you want to get rid of HTML in text, you can use this function. strip_tags() will attempt to remove all HTML and PHP tags. You can also set which tags to allow! However, this function is not reliable, and can have unwanted side-effects. Even if you allow only ’safe’ tags, attributes of HTML tags will not be altered, and can still be dangerous by adding attributes such as ‘onmouseover’.

When it should be used: If you really are not picky about security, you could use this function as a very primitive form of removing HTML whenever the formatted text is being inserted into the database. There is no need to ‘only’ use this function when the text is being displayed to the user, since the HTML tags are not meant to be preserved, but removed permanently. However, this function still cannot protect you from SQL injections or XSS attacks.

htmlentities() and htmlspecialchars()

If you don’t want to remove the HTML tags, but instead display them, you can use either of these functions. They will convert characters into their corresponding HTML entities. The difference between the two functions is that htmlspecialchars() will only convert a limited set of characters (see PHP manual), while htmlentities() will attempt to convert everything.

When it should be used: These functions should be used when the text is being displayed, not processed, for the same reasons as for nl2br() - you’ll probably want to preserve the original text. Remember to add ENT_NOQUOTES as a parameter of the functions to convert double and single quotes.

addslashes()

This function will add backslashes to text to escape all quotes and backslashes.

When it should be used: addslashes() should be used on GET/POST/REQUEST/COOKIE data if magic_quotes_gpc is off. If it is on, backslashes will be added automatically. addslashes() should be used when you are inserting data in the database. This function is useful because it escapes quotes, which could potentially break out of any SQL queries you run with the original data.

stripslashes()

stripslashes() will remove backslashes from your message. Double backslashes will become a single backslash.

When it should be used: stripslashes() should be used on all GET/POST/REQUEST/COOKIE data if and only if magic_quotes_gpc is on and you want to display that data immediately. Otherwise, stripslashes() should be used when you are displaying data from the database which have already had their quotes escaped (with addslashes() or magic quotes).

mysql_real_escape_string()

This function is supposed to take care of SQL injections. It will escape all special characters in any values/queries that you pass a parameter.

When it should be used: This function should be used when you are inserting user-submitted text into the database. This function should not be used in conjunction with addslashes(). Any quote escaping will be done automatically by this function. I haven’t personally used this function before so I don’t know how effective it is.

HTMLPurifier

HTMLPurifier is a library for cleaning up HTML. You choose which tags to allow, or none at all, and the library will take care of the rest. I like to think of this as an advanced and more useful strip_tags() function.

When it should be used: HTMLPurifier’s functions should be used whenever data is being processed and added into the database, so that when the text is displayed, there won’t be any faulty code or hidden HTML tags. HTMLPurifier is very useful for protection against XSS attacks, and is also very flexible, allowing your users to use HTML tags safely.

Of course, these aren’t the only solutions available! There are plenty of other functions, and you could also make your own functions to sanitize strings.
If you have your own methods of sanitizing user-submitted text, please leave a comment and share your methods with us!

To make this point (and as a shameless plug) I want to mention two : my game WMD Tank Battle, a multiplayer conquest game written in Perl, and RangerSheck’s Pioneers of Aethora, a tactical RPG written in Ruby on Rails.

Perl and mod_perl are old workhorses of the web, and Ruby on Rails is the latest greatest world-changing web framework, but both games make heavy use of shiny techniques like AJAX to minimize page loading and provide other features - Aethora has a built in chat, and uses the Prototype and Scriptaculous libraries for a great tactical map and drag/drop inventories. WMD Tank Battle uses CSS Sprites and javascript vector graphics for silly 2d animation and a real-time “missile command” game.

There are others around too - Urban Dead is one of the most popular web games ever and it’s sporting the “.cgi” extension. Know any other good ones ? Please comment!

MyMiniCity is a simple ‘game’ where you can pick a country, name your city and start getting people to click on your link. Every time somebody clicks on your link, your city will increase in population, and so your city grows. As your city becomes bigger, you get more links to manage unemployment, transport, crime and pollution, so just getting citizens isn’t enough!

Your city is ranked against other cities in the same country, and the largest cities have huge skyscrapers and buildings, while you start off with a simple house in the middle of nowhere. As your city grows, so will its land, and more buildings will be added, and older buildings will become bigger.

There isn’t really any skill involved in the game, except a skill of getting people to click your links. You can check in from time to time to see how your city is doing.

To see a demo of what MyMiniCity is like, I registered a city called PBBG Blog. You can view it here: http://pbbg.myminicity.com/

A few comments on this blog were made on SQL Injection, so I thought I’d post some thoughts. There are many articles about how to prevent SQL injection, I am going to cover just a few techniques.

The Problem
If you don’t know what SQL Injection is Google it, but quite simply it is a way for external forces to execute SQL statements on your database. Statements like:

delete from user (scary)
update user set life = 100000000 (hacker)

Most of these types of hacks happen when a user types specific things into a text box or address bar. This being the case you want to “clean” all incoming input. Rule of Thumb: Very rarely trust and always verify. (Trust but verify?)

The reason this hack works is because when you use a variable in a sql statement it can contain malicious code. For example the following piece of codes is suspect to SQL Injection:

$sql = “Select * from user where username = ‘$username’ and password = ‘$password’;”
mysql_execute_query($sql);

If the user uses the following as their username ‘;delete from user; it will delete all users from your tables.

The Solution
Clean all your variables. I run all variables, regardless of how I use them through a clean function. The clean function is responsible for removing quotes and cleaning up odd characters.

This takes a variable, cleans it and returns it. If you use this code, please add your own steps to ensure protection of your data, this is a simplistic clean function. Below is some of the function:

function clean($value)
{
$value = trim($value);

$value = strip_tags($value);

$value = mysql_real_escape_string($value);

if (!get_magic_quotes_gpc())
{
$value = addslashes($value);
}

$value = rtrim($value);

return $value;
}

I use this function like so:

$sql = “Select * from user where username = ‘” . clean($username) . “‘ and password = ‘” . clean($password) . “‘;”
mysql_execute_query($sql);

Another Solution
The other step I take is that I have overwritten the mysql_query function so that it replaces my table names. I want to make it difficult for people to guess my table names, so I have the following function:

function executeQuery($sql)
{
$sql = str_replace(”s_”, “game_”, $sql);
$q = mysql_query($sql) or die(”SQL Error on $PHP_SELF: ” . $sql);

return $q;
}

This replaces any s_ with game_, I might name my table “game_user” however my sql would be select * from s_user.

Hopefully this helps those who have questions about SQL Injection. And again, this certainly does not fully cover the topic.

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

For those of you who are wondering, mySQL is used in browser based game design quite often.

Select Statement

The select statement is used to get information from the database. It consists of 3 parts. The Fields the tables and the where clause.

SELECT [TABLE].[FIELDS]
FROM [TABLE]
WHERE [TABLE].[FIELD] = [VALUE]

select user.email
from user
where user.username = ‘mobeamer’

• Fields - Can contain a list of fields that you want to select.
• Table - will contain one, possibly more tables that hold the fields
• Where - This will allow you to restrict the information you receive.

Notice that I surrounded mobeamer with quotes, this is needed for strings and is good practice for other data types. A good rule of thumb is when in doubt add quotes.

Notice that I fully qualified the fields by putting the table name in front of the field name. This is not needed when writing a simple select but it is considered good form AND it will come in handy when you decide to “upgrade” your SQL statement (see joins).

Inner Join

An inner join will allow you to pull information from multiple tables with one query. The syntax for an inner join is as follows:

SELECT [TABLE].[FIELDS]
FROM [TABLE]
INNER JOIN [TABLE] ON [TABLE].[FIELD] = [TABLE].[FIELD]
WHERE [TABLE].[FIELD] = [VALUE]

Let’s say you have a user table which contains all the player’s information. You also have a units table that contains all the units that a player can have. You need a select statement which will get the player’s name and the unit’s name. In this instance my unit table has a column called ownerID which holds the userID of the owner.

select user.username, unit.unitname
from user
inner join unit on unit.ownerID = user.userID
where user.username=’mobeamer’

Another example:

select user.username, unit.unitname
from user
inner join unit on unit.ownerID = user.userID
where unit.class = ‘Warrior’

In most cases your joining field will be named the same in both tables, but I wanted to show how this was not necessary.

Notice, that you must fully qualify fields that exists in both tables. You should be aware when using an inner join, as in the first example, if the user does NOT have any units they will NOT appear in the result set.

Be very careful with inner joins as they ALWAYS restrict the result set. (See outer joins)

Outer Join

An outer join works in the same fashion as an inner join with one exception. The join will NOT restrict the returned set For example, in the example above, a player may not have a unit. In this case, an inner join would not pick up that player’s name. An outer join on the other hand would pickup this player.

select user.username, unit.unitname
from user
outer join unit on unit.ownerID = user.userID
where user.username=’mobeamer’

This will get all user, regardless of how many units they have.

Notice, the first table in the select statment begins the result set. Every outer join from there on can only add rows or columns to the recordset.

A good rule of thumb is to always use an outer join as you will never lose data with an outer join.

How I do It

This is how I write a complicated sql statement, this may not be best practices but I think it may add some context.

I wanted to create a page, which displays a player’s profile. I knew I needed a number of fields from the player’s table, unit’s table and item’s table. (Items are things that the unit holds)

I knew I wanted to display all players that had registered, so I started there.

Select user.username, user.numKills
from user
where user.isRegistered = ‘Y’

I then wanted to display the unit’s name, class and life

Select user.username
, user.numKills
, unit.unitName
, unit.class
, unit.life
from user
left outer join unit on unit.ownerID = user.userID
where user.isRegistered = ‘Y’

I then wanted to display all the items that the unit held, and the item’s description

Select user.username
, user.numKills
, unit.unitName
, unit.class
, unit.life
, item.itemName
, item.itemDescription
from user
left outer join unit on unit.ownerID = user.userID
left outer join item on item.unitID = unit.unitID
where user.isRegistered = ‘Y’

This was the sql that I ended with.

Further Articles
Good ideas to follow this up with:

• Updates, Inserts and Deletes
• Restricting an inner or outer join
• Links and Resources

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

<?php
header("Location: http://www.example.com");
?>

Here’s a little tip: use the exit statement right after you redirect.

Why? Imagine this: You have some code that runs after the redirect (the user was redirected because he did not have the correct permissions to view the page), and that code updates the user table to change some sensitive data. Obviously, you wouldn’t want that code to run after the player is redirected, but it could happen.

By using exit immediately after the redirect, you can stop any other code from executing, and make sure that nothing goes wrong!

The development environment comes into play for both these circumstances. There are a number of ways to setup your development environment. The solution is both short and sweet.

Please keep in mind this is only good for development teams of 1 or 2 individuals, you will need to do much more if your team consists of 3+ developers/coders.

I tend to use Uniform Server (http://www.uniformserver.com) as my environment. It’s a simple download you unzip and click a “start” executable. Yes, this is a Windows solution however, there are a number of alternative solutions, just search for LAMP on google.

It runs Apache, mySQL and PHP with a number of utilities. The great part is it’s less then 2GB so it fits on a flash drive, this means you can work on any windows, anywhere.

I use that to develop on my local machine. Once I am ready, I ftp my changed files to the site. (After making the database changes)

Every so often I will download the entire site from production and over write my development file. This helps keep my local version from getting to far from the production version.

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.